Forum Discussion
Solved
Query to Get service Information of VM.
Hi,
I am trying to write a log search query which gives me the information about all the services that are stopped are started in services.msc for past 3 hours. I have tried to use ConfigurationChange after going through the documentation, but it seems to be deprecated. The logs are not a part of Event or Perf either. Can anyone guide me through this.
Thanks!
3 Replies
- Evgeny Ternovsky
Microsoft
I don't have any data in my subscriptions around services starting and stopping, but looking for event 7036 (The %1 service entered the %2 state) in the events table might be one approach. Not sure if it gets routed to the Event or SecurityEvent table, so can do a
union Event, SecurityEvent | where EventId == 7036 | ...
Thanks,
-EvgenyThanks Evgeny. It is getting logged in Event Table with
Service Control Manager as Source. But there is a time delay of around 15 minutes from when the service state is changed to the data visible in OMS portal. So I missed out earlier.I am trying to understand something else too. Some services are getting logged in ConfigurationChange Table and some are not like the below query worked for some services.ConfigurationChange | where ConfigChangeType == "WindowsServices" | where SvcDisplayName == "Xbox Live Auth Manager" | where SvcState == "Stopped"
Thanks,Akhila
